Message Transmission and Key Establishment: Conditions for Equality of Weak and Strong Capacities Hadi Ahmadi University of Calgary (joint work with Reihaneh Safavi-Naini) October 25, 2012 1 / 20
Overview Secrecy capacity ◮ Secure message transmission (SMT) over wiretap channel [Wy75,CK78]. ◮ Discrete memoryless channels from Alice to Bob and Eve. ◮ Alice wants to send Bob a message that stays private from Eve. ◮ SMT is possible when Eve’s channel is noisier. 2 / 20
Overview Secrecy capacity ◮ Secure message transmission (SMT) over wiretap channel [Wy75,CK78]. ◮ Discrete memoryless channels from Alice to Bob and Eve. ◮ Alice wants to send Bob a message that stays private from Eve. ◮ SMT is possible when Eve’s channel is noisier. ◮ But how many message bits can be sent? 3 / 20
Overview Secrecy capacity ◮ Secure message transmission (SMT) over wiretap channel [Wy75,CK78]. ◮ Discrete memoryless channels from Alice to Bob and Eve. ◮ Alice wants to send Bob a message that stays private from Eve. ◮ SMT is possible when Eve’s channel is noisier. ◮ But how many message bits can be sent? infinite! 4 / 20
Overview Secrecy capacity ◮ Secure message transmission (SMT) over wiretap channel [Wy75,CK78]. ◮ Discrete memoryless channels from Alice to Bob and Eve. ◮ Alice wants to send Bob a message that stays private from Eve. ◮ SMT is possible when Eve’s channel is noisier. ◮ But how many message bits can be sent? infinite! ◮ Say how may message bits per channel use? That is secrecy capacity! 5 / 20
Overview Secrecy capacity ◮ Secure message transmission (SMT) over wiretap channel [Wy75,CK78]. ◮ Discrete memoryless channels from Alice to Bob and Eve. ◮ Alice wants to send Bob a message that stays private from Eve. ◮ SMT is possible when Eve’s channel is noisier. ◮ Secrecy capacity (the highest transmission rate) is derived as C wc ws = U ↔ X ↔ ( Y , Z ) I ( U ; Y ) − I ( U ; Z ) . max 6 / 20
Overview SK capacity ◮ Secret key agreement (SKE) over noisy channels [Ma93,AC93]. ◮ Alice and Bob want to share a key that stays private from Eve. ◮ Secret key (SK) capacity: highest key rate in bits/channel use. ◮ SKE is like SMT in the wiretap channel setting. C wc wsk = C wc ws 7 / 20
Overview SK capacity ◮ Secret key agreement (SKE) over noisy channels [Ma93,AC93]. ◮ Alice and Bob want to share a key that stays private from Eve. ◮ Secret key (SK) capacity: highest key rate in bits/channel use. ◮ SKE is like SMT in the wiretap channel setting. C wc wsk = C wc ws ◮ By adding public discussion SK capacity increases. C wc + pdc ≥ C wc wsk wsk 8 / 20
Overview weak/strong SK capacity ◮ From weak to strong security in SKE [MW00]. ◮ Motivation: use of weak security (negligible leakage rate). ◮ Proposal: define strong security (negligible absolute leakage). ◮ Problem: relation between the two. Definition (Weak SK capacity) Requiring S A ≈ S B such that weak secrecy: I ( S A ; View E ) ≤ H ( S A ) δ . Definition (Strong SK capacity) Requiring uniform S A ≈ S B such that strong secrecy: I ( S A ; View E ) ≤ δ . Note: Similarly one can define weak and strong secercy capacities. 9 / 20
Motivation to our work ◮ Maurer and Wolf [MW00] prove strengthening security is doable without sacrificing the key rate: C wc + pdc = C wc + pdc C wc wsk = C wc ssk , wsk ssk ◮ Followup research studied weakly secure SKE in new setups. ◮ Not clear whether these results also holds for strong security. Question1: What are general conditions for the equality of weak and strong SK capacities? Question2: What about weak and strong secrecy capacities (for message transmission)? 10 / 20
Part 1: Equality conditions for SK capacity The MW approach ◮ For equality conditions of SK capacity, we revisit the MW proof. ◮ The proof is quite generic: slight modification makes it work for many other setups. ◮ But it does not apply to ALL existing setups ◮ The MW approach has two phases: Ph1 Equality of weak and uniform SK capacities. ◮ This is general: works for any DM setup. Ph2 Construction of strong protocols from uniform ones. ◮ Relies on implicit assumptions... Let’s see what is inside this phase! 11 / 20
Part 1: Equality conditions for SK capacity Phase 2 of the MW approach ◮ Four steps to make a strong protocol from a uniform one: S1 Independent repetition of uniform protocol n times: S A , S B ◮ Cost is n times that of the uniform protocol. S2 Information reconciliation by universal hashing: S A ≈ S B ◮ Resources to send function description, say l bits. S3 Privacy amplification by a seeded extractor: S = Ext ( R , S A ) ◮ Resources to generate random seed, say r bits. ◮ Resources to send r -bit random seed. S4 Uniformization to make key uniform: H ( S ) = log |S| . ◮ Free: does not require resource. 12 / 20
Part 1: Equality conditions for SK capacity Phase 2 of the MW approach ◮ Four steps to make a strong protocol from a uniform one: S1 Independent repetition of uniform protocol n times: S A , S B ◮ Cost is n times that of the uniform protocol. S2 Information reconciliation by universal hashing: S A ≈ S B ◮ Resources to send function description, say l bits. S3 Privacy amplification by a seeded extractor: S = Ext ( R , S A ) ◮ Resources to generate random seed, say r bits. ◮ Resources to send r -bit random seed. S4 Uniformization to make key uniform: H ( S ) = log |S| . ◮ Free: does not require resource. ◮ Proof sketch: By choosing n sufficiently large, ◮ the parameters l and r become negligible in cost, and ◮ The key size is close to n time that of uniform protocol. ◮ hence the key rate stays the same. 13 / 20
Part 1: Equality conditions for SK capacity Modified proof sketch ◮ Assumptions made by the MW approach: ◮ Channel with positive (reliability) capacity. ◮ Free local source of randomness. ◮ The assumptions do not hold in all setups, e.g., ◮ Two-way wiretap channels [AS11] with zero reliability capacity. ◮ Secret key from noise [AS11*] with no random source. ◮ Are both assumptions necessary conditions? ◮ We remove the first assumption, i.e., need for randomness. ◮ Trick: using a two-source extractor for privacy amplification. 14 / 20
Part 1: Equality conditions for SK capacity Modified proof sketch ◮ Our steps to make a strong protocol from a uniform one. S1 Independent repetition of uniform protocol 2 n times: ◮ Alice has ( S A , 1 , S A , 2 ) and Bob has ( S B , 1 , S B , 2 ). ◮ Cost is 2 n times that of the uniform protocol. S2 Information reconciliation by universal hashing: S A ≈ S B ◮ Gives ( S A , 1 , S A , 2 ) ≈ ( S B , 1 , S B , 2 ). ◮ Resources to send function description, say 2 l bits. S3 Privacy amplification by a two-source extractor: ◮ Gives S = TExt ( S A , 1 , S A , 2 ). ◮ Free: does not require resource. S4 Uniformization to make key uniform: H ( S ) = log |S| . ◮ Free: does not require resource. ◮ Reliable transmission however is still needed. 15 / 20
Part 1: Equality conditions for SK capacity Modified proof sketch ◮ Our steps to make a strong protocol from a uniform one. S1 Independent repetition of uniform protocol 2 n times: ◮ Alice has ( S A , 1 , S A , 2 ) and Bob has ( S B , 1 , S B , 2 ). ◮ Cost is 2 n times that of the uniform protocol. S2 Information reconciliation by universal hashing: S A ≈ S B ◮ Gives ( S A , 1 , S A , 2 ) ≈ ( S B , 1 , S B , 2 ). ◮ Resources to send function description, say 2 l bits. S3 Privacy amplification by a two-source extractor: ◮ Gives S = TExt ( S A , 1 , S A , 2 ). ◮ Free: does not require resource. S4 Uniformization to make key uniform: H ( S ) = log |S| . ◮ Free: does not require resource. ◮ Reliable transmission however is still needed. Conclusion: Weak and strong SK capacities equal in any discrete memoryless setup that allows reliable transmission. 16 / 20
Part 2: Equality conditions for secrecy capacity Proof sketch ◮ Steps for strong transmission protocol from weak one. S1 Expansion of message by extractor inversion. ◮ Resources to generate random bits for expansion, say r bits. S2 Split: message in to pieces and send by weak protocol. ◮ Cost equals that of weak protocol. S3 Information reconciliation: to make key uniform. ◮ Resources to send function description, say l bits. S4 Extraction: of message by two-source extractor. ◮ Free: does not require resource. ◮ Reliable transmission requirement can be removed: A setup with weak secrecy capacity always allows reliable transmission. ◮ Randomness generation however is needed. Conclusion: Weak and strong secrecy capacities equal in any discrete memoryless setup that lets sender generate randomness. 17 / 20
Conclusion ◮ SMT vs. SKE: duality Requirement MW approach Our approach Our approach (SK) (SK) (Secrecy) required - required Randomness access Reliable transmission required required - ◮ Equality conditions: Sufficient but not necessary, e.g., ◮ Noisy two-way two-way channel Y A = Y B = X A + X B + N and Y E = f ( Y A ) where N is uniform. ◮ Secure channel Y B = X A + N ′ and Y E = ⊥ , and no randomness. 18 / 20
Recommend
More recommend
